How to Check Windows Run Dialog History (RunMRU)

Windows keeps a record of commands submitted through the Run dialog. Here's where to find RunMRU, how to read it safely, and what counts as evidence something ran.

Published July 9, 2026

Quick Answer

How do I check Windows Run dialog history?

Open the Registry Editor and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Each lettered value shows a command submitted through Run, and MRUList shows the most-recent order. View only; do not edit the registry while checking.

Premium GuardPick hero showing a generic RunMRU history viewer, registry breadcrumb, read-only safety card, and teal shield

What You’ll Achieve

  • Find the exact list of commands actually submitted through Windows Run
  • Tell the difference between “I pasted it” and “I ran it”
  • Time needed: about 2 minutes
  • Difficulty: Beginner

Experience note: Used this exact check while confirming whether a suspicious command had run on my own machine.

After nearly pasting a malicious ClickFix command into my own terminal, the question I actually needed answered wasn’t “is this dangerous.” I already knew that part. It was “did I already run it without realizing.” On a Mac, that answer lives in shell history. On Windows, if the delivery method was the Run dialog rather than PowerShell directly, it lives in a registry key almost nobody checks: RunMRU.

Before opening Registry Editor

  • You are only viewing the RunMRU key, not editing the registry.
  • Do not delete values just because they look unfamiliar.
  • Take a screenshot or copy the suspicious command into a note before changing anything.
  • If files are actively changing or encrypting, disconnect from Wi-Fi first and move to incident cleanup.

What RunMRU Actually Records

RunMRU stands for “Run - Most Recently Used.” Windows keeps this list so the Run dialog can autocomplete commands you’ve typed before. As a side effect, it also becomes a record of exactly what you’ve submitted, not just typed, through Win+R over time.

That distinction matters here. Pasting text into Run does nothing by itself. RunMRU only records a command once you’ve pressed Enter or clicked OK. If you’re trying to confirm whether something you pasted ever actually ran, this key gives a direct answer instead of a guess.

Step 1: Open the Registry Editor

Press Win+R, type regedit, and press Enter. Opening the Registry Editor to view this key is safe. The caution that applies to the registry is about editing or deleting values you don’t understand, not about looking at them.

Step 2: Navigate to the RunMRU Key

Paste this path into the address bar at the top of the Registry Editor window (yes, pasting into the Registry Editor’s own address bar is fine, it navigates rather than executes anything):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Where I Got Stuck:

The first time I looked at this key, the values are labeled a, b, c, and so on rather than anything obviously readable, and the order isn’t top to bottom the way you’d expect. The MRUList value at the bottom tells you the actual order, most recent letter first. Skip that step and you’ll misread which command was most recent.

Step 3: Read the Entries

Click through each lettered value. The data column shows the exact text that was submitted through Run, usually followed by \1 at the end, which you can ignore. Check the MRUList value first to know which letter represents the most recent entry, then work backward from there.

Look specifically for anything referencing powershell, cmd, curl, iwr, certutil, or a URL you don’t recognize. Ordinary use of Run tends to be short, familiar things like notepad, cmd, or a folder path. A long string with encoded text or a pipe symbol is not ordinary use.

Practical checklist

What to look for in RunMRU

Most Run history entries are boring. The suspicious ones usually stand out because they are long, encoded, or network-connected.

Normal-looking

  • Short app names like notepad, calc, cmd, or regedit.
  • Folder paths you recognize.
  • Commands you remember intentionally opening.

Suspicious

  • powershell or cmd followed by a long command.
  • curl, iwr, certutil, or a URL you do not recognize.
  • Encoded strings, pipe symbols, or hidden-window flags.

Next checks

  • Check PowerShell history separately.
  • Review startup apps and scheduled tasks.
  • Run a full scan if you find a matching command.

Step 4: Check PowerShell History Separately If Needed

RunMRU only covers the Win+R dialog itself. If you’re not sure whether a command was pasted directly into an open PowerShell window instead, that has its own, separate history file:

Get-Content (Get-PSReadLineOption).HistorySavePath

This prints PowerShell’s command history directly, which will show a command whether it was typed or pasted, as long as it was actually submitted.

What Counts as Proof

Finding nothing matching in either RunMRU or PowerShell history is a strong sign the command was never submitted through those paths, especially if there are no suspicious startup items afterward. It is not a perfect forensic guarantee, but it is enough for most home checks. Finding an exact or close match means you should assume it ran and move to a full scan plus the checks in our virus symptom checklist. If the command itself is still visible somewhere, use the command-safety guide to decode and read it first.

Myth check

Run history myths

RunMRU is useful, but it is not a complete forensic timeline. Use it for the question it actually answers.

Myth

If I pasted it into Run, it will appear in RunMRU.

Reality

RunMRU records submitted commands, not text that was pasted and then closed without pressing Enter or OK.

GuardPick take

A missing entry is reassuring when you know Run was the only place involved.

Also check PowerShell history if a terminal window may have been used.

Myth

Registry Editor is dangerous to open.

Reality

Viewing a key is safe. Editing or deleting values without understanding them is the risky part.

GuardPick take

Read-only inspection is fine; registry cleanup is a different task.

Navigate to the key, read the values, and leave the rest alone.

Myth

No RunMRU entry proves the computer is clean.

Reality

It only suggests the command was not submitted through the Run dialog.

GuardPick take

Use it as one strong clue, not as the whole investigation.

Pair it with PowerShell history, startup checks, and a full scan if the risk is serious.

Frequently Asked Questions

How do I check Windows Run dialog history?
Open the Registry Editor and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Each lettered value shows a command submitted through Run, and MRUList shows the most-recent order. View only; do not edit the registry while checking.
Does RunMRU show commands I typed but didn't submit?
No. Only commands you pressed Enter or clicked OK on appear here. If you pasted something into Run and closed the window without submitting it, it will not show up in this list.
Is opening the Registry Editor to check this safe?
Yes, viewing this key is safe. The risk in the Registry Editor comes from editing or deleting values you don't understand, not from opening it to look around. Don't delete or modify anything outside the RunMRU key while you're in there.
Is RunMRU the same as my PowerShell history?
No, they're separate. RunMRU only logs the Win+R dialog. PowerShell keeps its own history file, viewable by running (Get-PSReadLineOption).HistorySavePath in a PowerShell window and opening the file it points to, and Command Prompt keeps a separate in-session history that isn't saved after you close the window.
What should I do if I find a suspicious command in RunMRU?
Note the exact command, then check the signs covered in our virus symptom checklist and run a full antivirus scan. If the command matched a known ClickFix pattern, our command-safety guide walks through what to look for, and the virus symptom checklist covers what to check afterward.
Steven Doan

Written by

Steven Doan

Web developer. Managed 20+ WordPress sites, dealt with malware firsthand, ran self-managed VPS servers. I review security software the way a developer would — not a lab tester.

Follow me:

Stay in the loop

New security software reviews, deals, and honest takes. No spam.

UI only — backend coming soon.

More Guides

🛡️ Looking for the best antivirus in 2026?

We tested and ranked the top options — honest picks, real prices.